The feature is now part of the latest preview build

Mar 20, 2022 18:53 GMT

Microsoft has added a new feature in the latest Windows 11 preview build that makes it possible for IT admins to exclude USB drives from BitLocker encryption.

This obviously makes sense for devices that don’t necessarily require encryption, such as video cameras, and the company explains that IT admins can configure the new option with a special policy.

Needless to say, this feature comes in handy mostly for IT admins, and setting up the exclusions for BitLocker encryption isn’t exactly the most straightforward process.

The company has provided instructions on how to do this, but in short, you create a new profile in Intune from a custom template and specify the hardware ID of the device you want to exclude.

Currently in the preview stage

“We are introducing a new policy so that IT administrators can exclude USB removable drives from BitLocker encryption. This will solve the problem of automatic or accidental encryption of storage built into specialized devices like video cameras, voice recorders, conferencing systems, medical devices and many more,” Microsoft explains.

“When this policy is enabled, you will not be able to encrypt storage that is on the exclusion list, and you will not be prompted for encryption if you connect such storage to a device while ‘Deny write access to removable drives not protected by BitLocker’ policy is enabled on it. This policy so far can only be configured via MDM custom OMA-URI.”

At this point, the new feature is still part of the Windows Insider program, but it should go live for production devices in one of the next Windows 11 updates. There’s a chance Microsoft will use a quality update to introduce it for all IT admins out there, so we might not have to wait for a feature update such as 22H2 to get our hands on it.